ASDM connection reset

icomparateur
Level 1

Hello,

I just upgraded my Cisco PIX 515E-R-DMZ with PIX software 8.0(3): as recommended on http://www.cisco.com/en/US/customer/docs/security/pix/pix80/release/notes/prn803.html I first loaded the PIX 8.0(3) image, then restarted the device to complete with the ASDM upgrade. Since the PIX restarted, every time I try to connect to it, I get a connection reset message:

- Using ASDM Launcher, it says "Unable to launch ASDM from xx.xx.xx.xx. Connection reset".

- Using HTTPS, by typing https://xx.xx.xx.xx, I get a "The connection was reset" message.

It means I cannot access my PIX anymore at this time. Any suggestion?

Thanks.

12 Replies

JORGE RODRIGUEZ
Level 10

Hi Frederic, this is what I think is happening: you should have tftp'd both the 8.0(3) image as well as the corresponding ASDM version for 8.0 into the PIX, then rebooted, but because you upgraded the code and not ASDM, the previous ASDM version is having issues loading with the new PIX code. If in fact ASDM was also upgraded in this process, then I would suggest tftp'ing the ASDM image into the PIX again. Let us know if you need further assistance.

Rgds

Jorge

Jorge Rodriguez

husycisco
Level 7

Hi Frederic

First, uninstall any previous version of ASDM from your PC.

Then in the CLI, type dir and check the ASDM image name. Then issue the following command:

asdm image flash:/xxx.bin

Also make sure the http server enable and http x.x.x.x inside commands are issued.

Regards

icomparateur
Level 1

Ok, I could connect using SSH, and copied the correct ASDM bin (6.0.3). The problem still persists, even with that ASDM version. I still get the same messages.

The "show version" command displays:

Cisco PIX Security Appliance Software Version 8.0(3)

Device Manager Version 6.0(3)

Compiled on Tue 06-Nov-07 19:50 by builders

System image file is "flash:/pix.bin"

Config file at boot was "startup-config"

Frederic,

Could your HTTP server possibly have been disabled or enabled on a different port? Maybe the PC that you are trying to access with is not in the http server's acl?

"show run http" will reveal any problems there.

Thanks,

-=Blayne

icomparateur
Level 1

Ok, I think I'm finding some clues. Thanks everyone for the replies.

Before upgrading, I was always accessing the PIX ASDM through a VPN connection, with the inside interface IP. It seems that 8.0(3) has screwed something up in the config, and that those packets are now dropped.

I added a "http 0.0.0.0 0.0.0.0 outside" (just as a temporary fix to check), and now I can access the ASDM from outside with no problem, even when I'm not connected to the VPN (by using the outside interface IP).

I would like to access the ASDM using my inside IP (192.168.X.1), once connected to the VPN that has a pool like 192.168.Y.0/24. I've got a rule that says "access-list outside_access_in extended permit ip 192.168.Y.0 255.255.255.0 any". Right now in the ASDM list I've got:

http 0.0.0.0 0.0.0.0 outside

http 192.168.X.0 255.255.255.0 inside

http 192.168.Y.0 255.255.255.0 outside

I'm not sure of the last one: is that correct?

The last one makes perfect sense as long as you are coming from the 192.168.Y.0 network,

but it should be http 192.168.Y.0 255.255.255.0 inside.

I understand you issued http 0.0.0.0 0.0.0.0 outside, but it is best not to use this statement if your outside faces the public internet; instead you can use ssh 0.0.0.0 0.0.0.0 outside if you ever want to connect to the PIX from the outside interface.

Rgds

Jorge

Jorge Rodriguez

icomparateur
Level 1

I noticed some changes in the config since the upgrade.

Before - PIX 7.0(2)

group-policy AdminAccess attributes

[...]

nac disable

Now - PIX 8.0(3)

nac-policy AdminAccess-nac-framework-create nac-framework

reval-period 36000

sq-period 300

group-policy AdminAccess attributes

[...]

AdminAccess-nac-framework-create

Could the behavior change with my VPN connection be related to those new lines?

I also noticed that since the upgrade, there is another new line: "dynamic-access-policy-record DfltAccessPolicy"

icomparateur
Level 1

Thanks Jorge. I changed it to "http 192.168.Y.0 255.255.255.0 inside", but I still get the "The connection was reset" when trying to connect to https://192.168.X.1 or accessing with the ASDM launcher (once connected to the VPN).

The "http 0.0.0.0 0.0.0.0 outside" statement is just a temporary fix, as I'm not really comfortable with the CLI (and Cisco products in general). I'll remove it immediately after fixing this :-)

icomparateur
Level 1

Ok, it seems that the problem can be fixed by adding the command "management-access inside". That command was not in the previous config, and it was working perfectly without it. Are there any problems / considerations with adding that command?

Other question: can I safely put "nac-settings none" instead of "nac-settings value AdminAccess-nac-framework-create", considering the way the nac policy is defined right now:

nac-policy AdminAccess-nac-framework-create nac-framework

reval-period 36000

sq-period 300

Frederic, glad you got it resolved with management-access inside. How could I have missed that! This will allow PIX management through the VPN tunnel. This is a good one to remember; I use a VPN concentrator instead of an ASA, and a VPN ip-pool using an external DHCP Windows server.

Personally I have not played with NAC on the ASA; someone else may provide you with the right answer.

Rgds

Jorge

Jorge Rodriguez
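As an added illustration (not code from anyone in this thread), a small Python checker that parses the few running-config lines the posts above turn on, asdm image, http server enable, the http network/mask/interface entries and management-access, and reports why a given client might get refused, including the VPN-client-to-inside-address case that needed "management-access inside". The sample config and its 192.168.10.0/24 and 192.168.20.0/24 networks are constructed stand-ins for the thread's X and Y networks, and the checker only understands the line forms shown here, not the full PIX/ASA syntax.

```python
import ipaddress
import re

# Constructed running-config excerpt modelled on the lines quoted in the thread
# (192.168.10.0/24 = LAN, 192.168.20.0/24 = VPN pool; placeholders, not real).
SAMPLE_CONFIG = """\
asdm image flash:/asdm-603.bin
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 outside
management-access inside
"""

HTTP_ENTRY = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_config(text):
    """Pull out the settings that ASDM/HTTPS management depends on."""
    cfg = {"asdm_image": None, "http_server": False,
           "http_acl": [], "management_access": None}
    for line in text.splitlines():
        line = line.strip()
        m = HTTP_ENTRY.match(line)
        if line.startswith("asdm image "):
            cfg["asdm_image"] = line.split(None, 2)[2]
        elif line == "http server enable":
            cfg["http_server"] = True
        elif line.startswith("management-access "):
            cfg["management_access"] = line.split()[1]
        elif m:
            net, mask, iface = m.groups()
            cfg["http_acl"].append((ipaddress.ip_network(f"{net}/{mask}"), iface))
    return cfg


def check_asdm_access(cfg, client_ip, iface, via_vpn=False):
    """List reasons a client may be refused ASDM on `iface` (empty = looks fine)."""
    ip = ipaddress.ip_address(client_ip)
    findings = []
    if cfg["asdm_image"] is None:
        findings.append("no 'asdm image' configured")
    if not cfg["http_server"]:
        findings.append("'http server enable' missing")
    # The http entry must name the interface whose address the client targets.
    if not any(ip in net and i == iface for net, i in cfg["http_acl"]):
        findings.append(f"no 'http ... {iface}' entry covers {client_ip}")
    # A remote-access VPN client reaching the inside address through the
    # tunnel additionally needs management-access on that interface.
    if via_vpn and cfg["management_access"] != iface:
        findings.append(f"'management-access {iface}' missing")
    findings += [f"'http 0.0.0.0 0.0.0.0 {i}' admits any source on {i}"
                 for net, i in cfg["http_acl"] if net.prefixlen == 0]
    return findings
```

Run against the sample, a VPN client from 192.168.20.0/24 aiming at the inside address is flagged because its http entry names outside, and the temporary 0.0.0.0 entry is flagged as open to any source; with the entry changed to inside and the 0.0.0.0 line removed, the checker reports nothing.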

Dear Jorge,

I have the same problem, I am not able to access the PIX through ASDM as well as SSH. From the inside network we are trying this access on the inside IP address of the PIX firewall. One more thing: it was working till yesterday.

Getting "Unable to launch ASDM from 1.x.x.x. Connection reset" but I can take control of the secondary standby PIX firewall.

It is a PIX 515E and IOS 7.0.1.

Can you please help with this??

Vrushali, I will reply through your other thread.

Jorge Rodriguez